{"id":13772431,"url":"https://github.com/quora/pyanalyze","last_synced_at":"2026-04-05T17:44:09.745Z","repository":{"id":39849295,"uuid":"267139502","full_name":"quora/pyanalyze","owner":"quora","description":"A Python type checker","archived":false,"fork":false,"pushed_at":"2026-01-27T19:52:37.000Z","size":2799,"stargazers_count":382,"open_issues_count":61,"forks_count":41,"subscribers_count":7,"default_branch":"master","last_synced_at":"2026-04-05T17:44:05.209Z","etag":null,"topics":["linter","python","static-analysis","typechecker","types","typing"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quora.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-05-26T20:00:01.000Z","updated_at":"2026-03-26T10:01:44.000Z","dependencies_parsed_at":"2024-01-08T03:04:46.741Z","dependency_job_id":"9bce1cff-5573-454d-a4cb-55c28f9e9725","html_url":"https://github.com/quora/pyanalyze","commit_stats":{"total_commits":510,"total_committers":10,"mean_commits":51.0,"dds":"0.045098039215686225","last_synced_commit":"0cfe48ad35550d036fea86555f3f41cc8f5997cd"},"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/quora/pyanalyze","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quora%2Fpyanalyze","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quora%2Fpyanalyze/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quora%2Fpyanalyze/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quora%2Fpyanalyze/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quora","download_url":"https://codeload.github.com/quora/pyanalyze/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quora%2Fpyanalyze/sbom","scorecard":{"id":756278,"data":{"date":"2025-08-11","repo":{"name":"github.com/quora/pyanalyze","commit":"cecf6d82013710aa9c094b7b74f2cbcd773dc628"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.1,"checks":[{"name":"Maintained","score":7,"reason":"9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":2,"reason":"Found 5/19 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/doc.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/doc.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/doc.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/doc.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/lint.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/lint.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/lint.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/lint.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/publish.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/quora/pyanalyze/test.yml/master?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/doc.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/doc.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/doc.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:32","Warn: pipCommand not pinned by hash: .github/workflows/test.yml:49","Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   0 out of   5 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/doc.yml:1","Warn: no topLevel permission defined: .github/workflows/lint.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish.yml:14","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish.yml:47"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T21:45:59.450Z","repository_id":39849295,"created_at":"2025-08-22T21:45:59.451Z","updated_at":"2025-08-22T21:45:59.451Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31444702,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T15:22:31.103Z","status":"ssl_error","status_checked_at":"2026-04-05T15:22:00.205Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linter","python","static-analysis","typechecker","types","typing"],"created_at":"2024-08-03T17:01:03.934Z","updated_at":"2026-04-05T17:44:09.725Z","avatar_url":"https://github.com/quora.png","language":"Python","funding_links":[],"categories":["Static Checks","Python","Static type checkers"],"sub_categories":[],"readme":"# pyanalyze\n\nPyanalyze is a semi-static type checker for Python code. Like a static type checker (e.g., mypy or pyright), it\ndetects type errors in your code so bugs can be found before they reach production. Unlike such tools, however,\nit imports the modules it type checks, enabling pyanalyze to understand many dynamic constructs that other type\ncheckers will reject. This property also makes it possible to extend pyanalyze with plugins that interact directly\nwith your code.\n\n## Usage\n\nYou can install pyanalyze with:\n\n```bash\n$ pip install pyanalyze\n```\n\nOnce it is installed, you can run pyanalyze on a Python file or package as follows:\n\n```bash\n$ python -m pyanalyze file.py\n$ python -m pyanalyze package/\n```\n\nBut note that this will try to import all Python files it is passed. If you have scripts that perform operations without `if __name__ == \"__main__\":` blocks, pyanalyze may end up executing them.\n\nIn order to run successfully, pyanalyze needs to be able to import the code it checks. To make this work you may have to manually adjust Python's import path using the `$PYTHONPATH` environment variable.\n\nFor quick experimentation, you can also use the `-c` option to directly type check a piece of code:\n\n```\n$ python -m pyanalyze -c 'import typing; typing.reveal_type(1)'\nRuntime type is 'int'\n\nRevealed type is 'Literal[1]' (code: reveal_type)\nIn \u003ccode\u003e at line 1\n   1: import typing; typing.reveal_type(1)\n                                        ^\n```\n\n### Configuration\n\nPyanalyze has a number of command-line options, which you can see by running `python -m pyanalyze --help`. Important ones include `-f`, which runs an interactive prompt that lets you examine and fix each error found by pyanalyze, and `--enable`/`--disable`, which enable and disable specific error codes.\n\nConfiguration through a `pyproject.toml` file is also supported. See\n[the documentation](https://pyanalyze.readthedocs.io/en/latest/configuration.html) for\ndetails.\n\n### Extending pyanalyze\n\nOne of the main ways to extend pyanalyze is by providing a specification for a particular function. This allows you to run arbitrary code that inspects the arguments to the function and raises errors if something is wrong.\n\nAs an example, suppose your codebase contains a function `database.run_query()` that takes as an argument a SQL string, like this:\n\n```python\ndatabase.run_query(\"SELECT answer, question FROM content\")\n```\n\nYou want to detect when a call to `run_query()` contains syntactically invalid SQL or refers to a non-existent table or column. You could set that up with code like this:\n\n```python\nfrom pyanalyze.error_code import ErrorCode\nfrom pyanalyze.signature import CallContext, Signature, SigParameter\nfrom pyanalyze.value import KnownValue, TypedValue, AnyValue, AnySource, Value\n\nfrom database import run_query, parse_sql\n\n\ndef run_query_impl(ctx: CallContext) -\u003e Value:\n    sql = ctx.vars[\"sql\"]\n    if not isinstance(sql, KnownValue) or not isinstance(sql.val, str):\n        ctx.show_error(\n            \"Argument to run_query() must be a string literal\",\n            ErrorCode.incompatible_call,\n        )\n        return AnyValue(AnySource.error)\n\n    try:\n        parsed = parse_sql(sql)\n    except ValueError as e:\n        ctx.show_error(\n            f\"Invalid sql passed to run_query(): {e}\",\n            ErrorCode.incompatible_call,\n        )\n        return AnyValue(AnySource.error)\n\n    # check that the parsed SQL is valid...\n\n    # pyanalyze will use this as the inferred return type for the function\n    return TypedValue(list)\n\n\n# in pyproject.toml, set:\n# known_signatures = [\"\u003cmodule\u003e.get_known_argspecs\"]\ndef get_known_argspecs(arg_spec_cache):\n    return {\n        # This infers the parameter types and names from the function signature\n        run_query: arg_spec_cache.get_argspec(\n            run_query, impl=run_query_impl\n        ),\n        # You can also write the signature manually\n        run_query: Signature.make(\n            [SigParameter(\"sql\", annotation=TypedValue(str))],\n            callable=run_query,\n            impl=run_query_impl,\n        ),\n    }\n```\n\n### Supported features\n\nPyanalyze generally aims to implement [the Python typing spec](https://typing.readthedocs.io/en/latest/spec/index.html),\nbut support for some features is incomplete. See [the documentation](https://pyanalyze.readthedocs.io/en/latest/)\nfor details.\n\n### Ignoring errors\n\nSometimes pyanalyze gets things wrong and you need to ignore an error it emits. This can be done as follows:\n\n- Add `# static analysis: ignore` on a line by itself before the line that generates the error.\n- Add `# static analysis: ignore` at the end of the line that generates the error.\n- Add `# static analysis: ignore` at the top of the file; this will ignore errors in the entire file.\n\nYou can add an error code, like `# static analysis: ignore[undefined_name]`, to ignore only a specific error code. This does not work for whole-file ignores. If the `bare_ignore` error code is turned on, pyanalyze will emit an error if you don't specify an error code on an ignore comment.\n\nPyanalyze does not currently support the standard `# type: ignore` comment syntax.\n\n### Python version support\n\nPyanalyze supports all versions of Python that have not reached end-of-life. Because it imports the code it checks, you have to run it using the same version of Python you use to run your code.\n\n## Contributing\n\nWe welcome your contributions. See [CONTRIBUTING.md](https://github.com/quora/pyanalyze/blob/master/CONTRIBUTING.md)\nfor how to get started.\n\n## Documentation\n\nDocumentation is available at [ReadTheDocs](https://pyanalyze.readthedocs.io/en/latest/)\nor on [GitHub](https://github.com/quora/pyanalyze/tree/master/docs).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquora%2Fpyanalyze","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquora%2Fpyanalyze","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquora%2Fpyanalyze/lists"}